The Data Protection Officer – Is there a new sheriff in town?

Privacy compliance in Europe will soon take a big step forward with the General Data Protection Regulation (GDPR). When the GDPR comes into effect on 25 May 2018, many organizations must appoint a Data Protection Officer (DPO). What is the DPO’s role and how can you ensure success?

The GDPR provides a comprehensive compliance framework for data protection in Europe. The GDPR requires that many organizations appoint a DPO. The DPO will be a key player in this new data protection reality. Does your organization require a DPO? If so, what steps must be taken regarding their appointment, position and tasks?

To determine whether your organization falls in scope of the EU GDPR, read up on our previous coverage.

When is designating a DPO mandatory

There are a few situations where a DPO is mandatory according to the GDPR. One such situation is “where the (1) core activities of the controller or the processor consist of processing operations, which require (2) regular and systematic monitoring of data subjects on a (3) large scale.” A closer look at the main elements of this sentence provides a better understanding of its meaning:

Core activities: Core activities are the key operations necessary to achieve the organization’s goals. Relevant data processing activities include processing operations which are inextricably linked to the organization’s key operations. For example, an insurance company cannot provide its core task of providing health insurance without processing health data – its personal data processing is related to core activities. However, a manufacturing organization that processes the personal data of 20,000 employees for HR purposes, doesn’t do so in relation to the organization’s core activities. As a result, the DPO obligation wouldn’t directly apply.

Regular and systematic monitoring: The notion of regular and systematic monitoring of data subjects includes all forms of tracking and profiling, both in the online and offline environment. Consider, for example, a bank using behavioral profiling to offer specific services to individuals.

Large scale: Another prerequisite for mandatory appointment of a DPO is that processing is carried out on a large scale. Unfortunately, there’s no precise figure given regarding the amount of data processed or number of individuals. Yet from the guidance provided, processing personal data in the regular course of business by a midsize or large company shall, in general, be considered as large-scale processing. Two examples are the client data collected by a global insurance company or the data gathered by a large web shop operating in multiple countries.

The DPO’s tasks and qualifications

The DPO should check and monitor internal compliance with the GDPR and should identify and offer guidance on processing activities. The DPO also has an important role when carrying out Privacy Impact Assessments. Consequently, according to GDPR, the DPO “shall be designated on the basis of professional qualities and expert knowledge of data protection laws and practices…” Hence, the DPO should have expertise in national and European data protection laws and in-depth understanding of the GDPR. It’s also advisable that the DPO has broad knowledge of information systems and data security.

Other conditions to consider

In addition to the DPO role itself, the GDPR also explicitly requires the allocation of resources necessary to carry out the DPO’s tasks. The more comprehensive and sensitive the processing operations are, the more resources should be assigned to support the DPO. The DPO should also be positioned and enabled with a sufficient degree of autonomy to perform their task and make a dissenting opinion clear to decision makers. This means that the DPO role could not be combined with other roles, such as the head of HR, which require making decisions about an organization’s large-scale data processing operations.

Perhaps the most important condition is the DPO’s early participation in all issues relating to data protection. This might seem obvious, but in many cases it’s not. To guarantee the DPO’s full involvement, it’s essential to embed the role in your organization’s governance structure. The governance structure and operating model regarding the DPO should align perfectly with your organization’s overall privacy risk management framework.

What you can do now

There’s no one size fits all approach to positioning the DPO. Your organization will need to make decisions on next steps. Prepare by:

Analyzing whether the DPO obligation applies to your organization and documenting your analysis. That way, if the regulator asks for it at a later stage, you have the required documentation.

Assessing your organization’s current privacy function by reviewing who’s involved and the amount of time spent on privacy compliance. Compare this with the organization’s data processing activities and the privacy team’s desired size. Then appoint one or more individuals to fulfill the DPO role and to support the DPO to the extent relevant for your organization. Be mindful that external support can be hired to fill the DPO role as well as the DPO support functions.

Empowering the DPO in your organization. Articulate the importance of the role within the organization and raise internal awareness. Be sure that employees know about the DPO’s role and tasks and let external stakeholders know who to contact.

In exactly one year after the publication of this blog, the GDPR will be enforced. The DPO will have a key role in overall data privacy compliance. It’s important to remember that the DPO can only be as successful as the privacy team they work in and the organization’s level of privacy risk management. The clock is ticking. Make sure that your organization is ready for the DPO and other GDPR requirements.

KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.